Enhanced.io flags MSP blind spots in security coverage

Enhanced.io has published its MSP Security Coverage Report 2026, examining how managed service providers cover five security attack surfaces.

The study argues that identity, IoT and OT have become major blind spots because there is no neutral public measure of how often managed service providers monitor those areas for clients.

Managed service providers play a central role in cybersecurity for small and medium-sized businesses, which often rely on outside firms to monitor threats across their systems. The report reviews published research from Verizon, Microsoft, IBM, ISC2, Sophos and ConnectWise to assess security coverage across endpoint, network, cloud, identity, and IoT and OT.

Rather than surveying providers, Enhanced.io compiled public evidence published between January 2024 and June 2026. It framed the exercise around two questions for each attack surface: whether managed service providers are monitoring it for clients, and whether anyone is measuring that coverage.

Endpoint focus

Endpoint security remains the best-covered and best-documented area, the report found. It cited Sophos MSP Perspectives 2024, which found that 81% of managed service providers offer some form of managed detection and response for endpoint environments.

That makes endpoint the only one of the five surfaces where coverage appears mature. The other categories show either patchy coverage, weak public measurement, or both.

Cloud gap

Cloud security emerged as the clearest measured shortfall. Enhanced.io cited ConnectWise research from March 2025 showing that only about one-third of managed service providers consistently secure clients' Microsoft 365 environments.

The report also pointed to data from Microsoft Digital Defence Report 2025 showing that destructive cloud campaigns rose 87% year on year. That contrast between growing threat activity and relatively low coverage is central to its argument.

Identity blind spot

Identity security was presented as a particularly high-risk area, but with little hard data on managed service provider coverage. The report cited Verizon's 2025 Data Breach Investigations Report, which found credential abuse in 22% of all breaches.

Despite that, Enhanced.io said no neutral source publishes an identity monitoring rate for businesses that rely on managed service providers. The company argues that without that figure, the industry cannot judge whether one of the most important attack paths is being monitored consistently.

The network interior also appears to be under-watched. The report cited Verizon data showing that edge devices and VPNs rose from 3% to 22% of exploitation-based initial access in a single year, while many managed service provider security services still focus mainly on the firewall.

Unmeasured devices

IoT and OT was described as the surface with the least visibility in public data. Enhanced.io said it found no public source reporting how many managed service providers monitor those devices on behalf of clients.

It treated that lack of measurement as a finding in itself rather than a gap to ignore. The absence of public tracking matters, the report said, because connected devices in operational and industrial settings are increasingly part of the business attack surface.

A broader labour issue also sits behind the coverage problem. The report cited the ISC2 2025 Cybersecurity Workforce Study, which found that 59% of security professionals reported critical or significant skills gaps, up from 44% a year earlier.

Kristian Wright, Founder and Chief Executive Officer of Enhanced.io, said the imbalance between endpoint coverage and the rest of the attack surface should draw more scrutiny. "Endpoint is the part the industry does well. The other four surfaces are where attacks are growing fastest, and for two of them nobody has measured whether anyone is watching at all. The missing number is the finding. If the industry has not checked whether MSPs monitor a surface, the honest reading is that most do not," Wright said.

The report's methodology is likely to shape how it is received across the channel and cybersecurity sectors. Because it relies on published industry research rather than new survey work, its conclusions depend on the scope and quality of third-party data. But that approach also lets it highlight where no data exists at all.

Enhanced.io said every figure in the study is tied to a named source, publication date and sample size, and that no statistic was estimated or inferred. Where coverage data could not be found, the report records that absence as part of the picture rather than filling the gap with assumptions.

That leaves a stark division across the five surfaces examined: endpoint appears well covered and well measured, cloud shows a measurable shortfall, network monitoring appears limited beyond the perimeter, and identity and IoT and OT remain areas where public evidence on managed service provider coverage is thin or non-existent.